Preparing Authentication Profiles
With Privileged Access Service, you can require multi-factor authentication for two distinct situations:
-
As part of the login process so that users who are attempting to log in to Delinea-managed computers must provide multiple forms of authentication before they are granted access.
-
As part of a re-authentication process so that users who are attempting to use Application, Network, and Desktop rights on Windows machines, or command rights with elevated privileges or in a restricted shell on UNIX machines, must provide a password and another form of authentication before they can execute the selected command.
To configure the types of authentication challenges allowed in each situation, you can prepare one or more authentication profiles in the Admin Portal. If you have already configured authentication profiles for other purposes, you can reuse those profiles for multi-factor authentication or add new profiles specifically for the computers you manage using Delinea Server Suite. You can prepare one profile to use for both login access and for the use of elevated privileges, or you can prepare separate profiles for each situation.
To create an authentication profile:
The first step in preparing authentication profiles is to create the profile.
-
Open a browser and log on to the Privileged Access Service using your customer-specific URL.
-
Switch to the administrative portal, then click Settings and click Authentication.
Three default authentication profiles are available out-of-the-box:
-
Default New Device Login Profile: Uses Password for the first challenge and Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the second challenge, with a 12-hour pass-through duration.
-
Default Other Login Profile: Uses Password for the first challenge and no secondary challenge, with a 12-hour pass-through duration.
-
Default Password Reset Profile: Gives users the option to use Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the first challenge, with a 12-hour pass-through duration.
-
Select an existing Authentication Profile or click Add Profile.
The fields needed to add a new profile are described below.
-
Type the authentication profile name.
-
Select the types of authentication to present for the first challenge.
Note: A second challenge is optional. If you also select mechanisms for Challenge 2, they are presented as an additional challenge after the first one.
-
Click OK.
The pass-through duration applies to MFA logins by Active Directory users on systems that are joined to Active Directory.
Only the authentication challenges that are applicable for a user can be presented. For example, you might select Phone call and Email confirmation code in the authentication profile, but these challenges are only valid if users have both a phone number and email address stored for their accounts. If users only have a phone number and not an email address stored, they will receive a phone call to complete the authentication process rather than be prompted to select an authentication option. If users have both a phone number and an email address stored, they will be prompted to select which form of authentication to use.
-
Select the authentication mechanism(s) you require and want to make available to users. Some authentication mechanisms require additional configuration before users can authenticate using them. See Authentication mechanisms for information about each authentication mechanism. For example, you can require that the first challenge be the user's account password. Then for the second challenge, users can choose between an email confirmation code, a security question, or a text message confirmation code.
-
If you have multiple challenges, Privileged Access Service waits until users have answered all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, the authentication failure message is not sent until after users respond to the second challenge. This keeps the first challenge from acting as an oracle: an attacker cannot learn that a password was correct without also completing the second challenge.
-
If users fail their first challenge and the second challenge is SMS, email, or phone call, by default Privileged Access Service does not send the SMS or email or trigger the phone call, so a failed first challenge cannot be used to generate messages or calls to the user. Contact support to change this configuration.
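The challenge handling described above, as an added example written for this page (it is not Delinea code and not the service's own implementation): a Python model in which only the mechanisms a user can actually complete are offered, the pass/fail answer is withheld until every challenge has been answered, and out-of-band codes are not sent once the first challenge has failed. The mechanism names follow the Admin Portal; the user records, the one-time codes, the callback shape and the fail-closed treatment of a configured challenge the user cannot complete are assumptions made for the example.

```python
"""Model of how a multi-challenge authentication profile is evaluated.

Added example, not Delinea code. It models three behaviours the text
describes: only mechanisms the user has the data to complete are offered,
the pass/fail answer is withheld until every challenge has been answered,
and out-of-band codes (SMS, email, phone) are not sent once the first
challenge has failed. Mechanism names follow the Admin Portal; the user
records, one-time codes and callbacks are constructed for illustration.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

PASSWORD = "Password"
SMS = "Text message (SMS) confirmation code"
EMAIL = "Email confirmation code"
PHONE = "Phone call"
OATH = "OATH OTP Client"
OUT_OF_BAND = {SMS, EMAIL, PHONE}


@dataclass
class User:
    name: str
    password: str
    phone: Optional[str] = None
    email: Optional[str] = None
    oath_secret: Optional[str] = None


@dataclass
class Profile:
    name: str
    challenge1: set
    challenge2: set = field(default_factory=set)  # the second challenge is optional


def applicable(mechanisms, user):
    """Keep only the challenges this user has the account data to complete."""
    usable = set()
    for m in mechanisms:
        if m == PASSWORD:
            usable.add(m)
        elif m in (SMS, PHONE) and user.phone:
            usable.add(m)
        elif m == EMAIL and user.email:
            usable.add(m)
        elif m == OATH and user.oath_secret:
            usable.add(m)
    return usable


def authenticate(profile, user, choose, respond, deliver):
    """Drive one login through the profile.

    choose(offered)     -> mechanism the user picks when several are usable
    respond(mechanism)  -> the user's answer for that mechanism
    deliver(mech, code) -> the SMS/email/phone gateway (called only when a code is sent)
    Returns (outcome, prompts): "pass" or "fail", and the mechanisms asked for.
    """
    results, prompts = [], []
    first_failed = False
    for n, mechanisms in enumerate((profile.challenge1, profile.challenge2), 1):
        if not mechanisms:
            continue                      # no second challenge configured
        offered = applicable(mechanisms, user)
        if not offered:
            return "fail", prompts        # assumption: fail closed when the user cannot complete a configured challenge
        mech = next(iter(offered)) if len(offered) == 1 else choose(offered)
        prompts.append(mech)
        expected = None
        if mech == PASSWORD:
            expected = user.password
        elif mech == OATH:
            expected = "otp(" + user.oath_secret + ")"  # stands in for a real TOTP computation
        elif mech in OUT_OF_BAND and not first_failed:
            expected = f"code-{n}"                     # constructed one-time code
            deliver(mech, expected)                    # not reached after a failed first challenge (default behaviour)
        answer = respond(mech)                         # always asked, so a failed first challenge is not revealed early
        ok = expected is not None and compare_digest(str(answer), expected)
        results.append(ok)
        first_failed = first_failed or (n == 1 and not ok)
    return ("pass" if all(results) else "fail"), prompts


def simulate(profile, user, password_typed):
    """Run a login in which the user types password_typed, picks the first usable
    mechanism alphabetically, and echoes back any code that was delivered.
    Returns (outcome, delivered_mechanisms, prompts)."""
    inbox = {}

    def deliver(mech, code):
        inbox[mech] = code

    def choose(offered):
        return sorted(offered)[0]

    def respond(mech):
        return password_typed if mech == PASSWORD else inbox.get(mech, "")

    outcome, prompts = authenticate(profile, user, choose, respond, deliver)
    return outcome, sorted(inbox), prompts


if __name__ == "__main__":
    login = Profile("Remote Login", {PASSWORD}, {SMS, EMAIL})
    alice = User("alice", "correct horse", phone="+1-555-0100")   # phone only: SMS is the only usable option
    print(simulate(login, alice, "correct horse"))   # ('pass', [SMS], [PASSWORD, SMS])
    print(simulate(login, alice, "wrong"))           # ('fail', [], [PASSWORD, SMS]): still prompted, no SMS sent
```

The second run is the case the text singles out: the user is still prompted for the SMS code after typing a wrong password, so the response timing does not reveal which factor failed, but nothing is delivered to the phone.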
Assigning Login Authentication Profiles
The next step is to assign login authentication profiles. Do this by performing the following steps.
-
Click Access > Policies and Add Policy Set. Under Policy Settings, navigate to Login Policies. Choose between Linux, UNIX and Windows Servers and Windows Workstations.
-
Select Yes in the Enable authentication policy controls drop-down. Click Add Rule.
The Authentication Rule window displays.
-
Click Add Rule on the Authentication Rule window.
-
Define the filter and condition using the drop-down boxes.
For example, you can create a rule that requires a specific authentication method when users access Privileged Access Service from an IP address that is outside of your corporate IP range. Supported filters are:
-
IP Address: The authentication factor is the computer's IP address when the user logs in. This option requires that you have configured the IP address range in Settings > Network > Corporate IP Range.
-
Day of Week: The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.
-
Date: The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.
-
Date Range: The authentication factor is a specific date range.
-
Time Range: The authentication factor is a specific time range in hours and minutes.
-
Device OS: The authentication factor is the device operating system.
-
Country: The authentication factor is the country, based on the IP address of the user's computer.
-
Risk Level: The authentication factor is the risk level of the user logging on to the Admin Portal. For example, a user attempting to log in to Privileged Access Service from an unfamiliar location can be prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses; if you do not see this filter, contact Delinea support. The supported risk levels are:
Non Detected: No abnormal activities are detected.
Low: Some aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised, depending on the policy setup.
Medium: Many aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised, depending on the policy setup.
High: Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
Unknown: Not enough user behavior activity (frequency of system use by the user and length of time the user has been in the system) has been collected.
-
Managed Devices: The authentication factor is the designation of the device as "managed" or not. A mobile device is considered "managed" if it is managed by Privileged Access Service (MDM enrolled), or if it presents a certificate issued by a certificate authority that Privileged Access Service trusts (the CA has been uploaded to your tenant using Admin Portal > Settings > Authentication > Certificate Authorities).
-
Click the Add button associated with the filter and condition.
-
Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.
-
The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option.
-
Click OK.
-
Select a default profile to be applied if a user does not match any of the configured conditions in the Default Profile (used if no conditions matched) drop-down.
If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.
-
Click Save.
-
If you have more than one authentication rule, you can prioritize them on the Login Authentication page.
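The rule evaluation described in the steps above, as an added example written for this page (not Delinea code and not the service's own implementation): a Python model in which rules are tried in priority order, a rule applies only when every one of its filter conditions matches, the first matching rule's profile is used, and otherwise the default profile applies, with a default of Not Allowed denying the login. The filter names follow the table above; the condition shapes, the corporate IP range, the rule set, the profile names and the login contexts are constructed for the example.

```python
"""Model of login authentication rule evaluation.

Added example, not Delinea code. Rules are tried in priority order; a rule
applies only when all of its filter conditions match; the first matching
rule's profile is used; if none matches the default profile applies, and a
default of "Not Allowed" denies the login. Filter names follow the table in
the text, but the condition shapes, the corporate IP range, the rule set and
the login contexts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, date, time

NOT_ALLOWED = "Not Allowed"

# Stands in for Settings > Network > Corporate IP Range (constructed, RFC 5737 space).
CORPORATE_IP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class LoginContext:
    ip: str
    when: datetime
    device_os: str
    country: str
    managed: bool
    risk: str = "Non Detected"


@dataclass
class Rule:
    conditions: list   # [(filter_name, condition), ...]; every pair must match
    profile: str


def matches(filter_name, condition, ctx):
    """Evaluate one filter/condition pair against the login context."""
    if filter_name == "IP Address":
        inside = any(ipaddress.ip_address(ctx.ip) in net for net in CORPORATE_IP_RANGES)
        return inside if condition == "inside" else not inside
    if filter_name == "Day of Week":
        return ctx.when.strftime("%A") in condition
    if filter_name == "Date":
        direction, day = condition              # ("before" | "after", date)
        return ctx.when.date() < day if direction == "before" else ctx.when.date() > day
    if filter_name == "Date Range":
        start, end = condition
        return start <= ctx.when.date() <= end
    if filter_name == "Time Range":
        start, end = condition
        return start <= ctx.when.time() <= end
    if filter_name == "Device OS":
        return ctx.device_os in condition
    if filter_name == "Country":
        return ctx.country in condition
    if filter_name == "Risk Level":
        return ctx.risk in condition
    if filter_name == "Managed Devices":
        return ctx.managed == condition
    raise ValueError(f"unknown filter: {filter_name!r}")


def select_profile(rules, default_profile, ctx):
    """Return the profile for this login: the first rule (in priority order)
    whose conditions all match, otherwise the default profile."""
    for rule in rules:
        if all(matches(f, c, ctx) for f, c in rule.conditions):
            return rule.profile
    return default_profile


def evaluate_login(rules, default_profile, ctx):
    """Return (profile, allowed). A resolved profile of Not Allowed denies the login."""
    profile = select_profile(rules, default_profile, ctx)
    return profile, profile != NOT_ALLOWED


# Constructed rule set, listed in priority order.
RULES = [
    Rule([("IP Address", "outside")], "Remote Access MFA"),
    Rule([("Day of Week", {"Saturday", "Sunday"}), ("Risk Level", {"Medium", "High", "Unknown"})],
         "Weekend Step-Up MFA"),
    Rule([("Managed Devices", False)], "Unmanaged Device MFA"),
]
DEFAULT = "Default Other Login Profile"

if __name__ == "__main__":
    tuesday_morning = datetime(2024, 3, 5, 9, 30)
    on_site = LoginContext("203.0.113.10", tuesday_morning, "Windows", "US", managed=True)
    remote = LoginContext("198.51.100.7", tuesday_morning, "macOS", "US", managed=False)
    print(evaluate_login(RULES, DEFAULT, on_site))   # ('Default Other Login Profile', True)
    print(evaluate_login(RULES, DEFAULT, remote))    # ('Remote Access MFA', True): rule 1 outranks the unmanaged-device rule
    print(evaluate_login([], NOT_ALLOWED, on_site))  # ('Not Allowed', False)
```

The remote login matches both the IP Address rule and the Managed Devices rule; because the rules are ordered, only the higher-priority one decides the profile, which is why rule order matters when a more permissive profile sits above a stricter one. The last call shows the case the text warns about: no rules and a default of Not Allowed means nobody can log in.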
Assigning Privilege Elevation (Re-authentication) Profile
Finally, you must assign privilege elevation profiles.
-
For the Elevated Privileges Profile, click Privilege Elevation Policies > Privilege Elevation, select Yes for Enable authentication policy controls, then click Add Rule > Add Filter. Click Authentication Profiles to display the list of existing profiles, then select a profile to use or click Add New Profile.
You can use the same profile for server access, and to re-authenticate for roles and rights that require multi-factor authentication. However, if you want to specify different authentication challenges from which a user can select when executing UNIX commands or accessing Windows applications, select Add New Profile.
As with the Login Authentication Profile, you can select multiple types of authentication to present for the first and second challenges. However, only the authentication challenges that are applicable for a user can be presented when the user attempts to access privileged Windows rights or execute UNIX commands with elevated privileges (dzdo) or in a restricted shell (dzsh).
-
Click Save.